Widely-used PremiSys access control system features four zero-day vulnerabilities

Widely-used PremiSys access control system features four zero-day vulnerabilities

Widely-used PremiSys access control system features four zero-day vulnerabilities

The popular PremiSys access control system, which is used by Fortune 500 companies, universities, medical centres and government agencies to secure their offices, has been found to contain zero-day vulnerabilities that could allow criminals to enter restricted spaces by creating fraudulent badges and disabling building locks.

The PremiSys access control system, a product of US-based IDenticard whose ID badging programmes and identification solutions, ID card accessories, Visitor Management systems and access control systems are used by tens of thousands of firms worldwide, has been found featuring four zero-day vulnerabilities that can be exploited by cyber criminals to access the badge system database and gain covert access to premises of targeted organisations.

IDenticard's PremiSys access control system allows customers to connect to and monitor their access control system from anywhere. Controls include locking and unlocking doors remotely, responding to and clearing alarms, adding new cardholders, and viewing surveillance video feeds from smartphones.

Critical vulnerabilities yet to be patched

According to security firm Tenable Inc, the PremiSys access control system features as many as four zero-day vulnerabilities, fixes to which may not be available as IDenticard did not respond to the firm's alerts. As such, individual users will have to deploy mitigation tools to prevent a breach until IDenticard comes up with a software update to patch all the highlighted vulnerabities.

The vulnerability CVE-2019-3906 refers to the fact that the software contains hardcoded credentials and allows the administrator access to the entire service via the PremiSys Windows Communication Foundation (WCF) Service endpoint. These credentials cannot be changed by individual users and can be usd by attackers to dump contents of the badge system database, modify contents, or other various tasks with unfettered access.

Researchers at Tenable also found that the access control software stores user credentials and other sensitive information with a known-weak encryption method that can be easily breached, and that Identicard backups are stored in a password-protected zip file with the password hardcoded into the application.

The researchers also found that whenever an organisation installs the PremiSys access control system, employees need to type in a default username/password combination (PremisysUsr/ID3nt1card) to start using it. There is also a longer password option which is also a default one (ID3nt1cardID3nt1card) but organisations can only replace them with unique passwords by sending custom passwords to the vendor directly in order to receive an encrypted variant to use in their configurations.

Need for a wider dialogue within the security industry

"An organisation’s security purview is no longer confined by a firewall, subnets, or physical perimeter — it’s now boundaryless. This makes it critically important for security teams to have complete visibility into where they are exposed and to what extent,” said Renaud Deraison, co-founder and chief technology officer, Tenable.

"Unfortunately, many manufacturers in the new world of IoT don’t always understand the risks of unpatched software, leaving consumers and enterprises vulnerable to a cyber attack. In this case, organisations that use PremiSys for access control are at a huge risk as patches are not available.

"Beyond this particular issue, the security industry needs to have a wider dialogue about embedded systems and their maintainability over time. The complexity of the digital infrastructure is increasing, and so is its maintenance. We need vendors to be committed to delivering security patches in a timely manner, and in a fully automated way," he added.

ALSO READ: 60 percent firms use advanced technology without proper security

Copyright Lyonsdown Limited 2021

Top Articles

It’s time to upgrade the supply chain attack rule book

How can infosec professionals critically reassess how they detect and quickly prevent inevitable supply chain attacks?

Driving eCommerce growth across Africa

Fraud prevention company Forter has partnered with payments technology provider Flutterwave to drive eCommerce growth across Africa and beyond.

Over 500,000 Huawei phones found infected with Joker malware

The Joker malware infiltrated over 500,000 Huawei phones via ten apps using which the malware communicates with a command and control server.

Related Articles